Merge branch 'develop' into proof-aggregation-circuit

Author: zhenfeizhang

bus-mapping/src/circuit_input_builder.rs

@@ -48,7 +48,9 @@ use std::{
     collections::{BTreeMap, HashMap},
     iter,
 };
-pub use transaction::{Transaction, TransactionContext, TxL1Fee, TX_L1_FEE_PRECISION};
+pub use transaction::{
+    Transaction, TransactionContext, TxL1Fee, TX_L1_COMMIT_EXTRA_COST, TX_L1_FEE_PRECISION,
+};
 
 /// Circuit Setup Parameters
 #[derive(Debug, Clone, Copy)]
@@ -587,19 +589,18 @@ pub fn keccak_inputs(block: &Block, code_db: &CodeDB) -> Result<Vec<Vec<u8>>, Er
     let mut keccak_inputs = Vec::new();
     // Tx Circuit
     let txs: Vec<geth_types::Transaction> = block.txs.iter().map(|tx| tx.into()).collect();
-    keccak_inputs.extend_from_slice(&keccak_inputs_tx_circuit(&txs, block.chain_id())?);
+    keccak_inputs.extend_from_slice(&keccak_inputs_tx_circuit(&txs)?);
     log::debug!(
         "keccak total len after txs: {}",
         keccak_inputs.iter().map(|i| i.len()).sum::<usize>()
     );
     // PI circuit
-    keccak_inputs.push(keccak_inputs_pi_circuit(
-        block.chain_id(),
+    keccak_inputs.extend(keccak_inputs_pi_circuit(
+        block.chain_id,
         block.prev_state_root,
         block.withdraw_root,
         &block.headers,
         block.txs(),
-        block.circuits_params.max_txs,
     ));
     // Bytecode Circuit
     for _bytecode in code_db.0.values() {
@@ -645,10 +646,10 @@ pub fn keccak_inputs_sign_verify(sigs: &[SignData]) -> Vec<Vec<u8>> {
     inputs
 }
 
-/// Generate a dummy tx in which
-/// (nonce=0, gas=0, gas_price=0, to=0, value=0, data="", chain_id)
+/// Generate a dummy pre-eip155 tx in which
+/// (nonce=0, gas=0, gas_price=0, to=0, value=0, data="")
 /// using the dummy private key = 1
-pub fn get_dummy_tx(chain_id: u64) -> (TransactionRequest, Signature) {
+pub fn get_dummy_tx() -> (TransactionRequest, Signature) {
     let mut sk_be_scalar = [0u8; 32];
     sk_be_scalar[31] = 1_u8;
 
@@ -661,22 +662,28 @@ pub fn get_dummy_tx(chain_id: u64) -> (TransactionRequest, Signature) {
         .gas_price(U256::zero())
         .to(Address::zero())
         .value(U256::zero())
-        .data(Bytes::default())
-        .chain_id(chain_id);
+        .data(Bytes::default());
+    let sighash: H256 = keccak256(tx.rlp_unsigned()).into();
 
     // FIXME: need to check if this is deterministic which means sig is fixed.
-    let sig = wallet.sign_transaction_sync(&tx.clone().into());
+    let sig = wallet.sign_hash(sighash);
+    assert_eq!(sig.v, 28);
 
     (tx, sig)
 }
 
 /// Get the tx hash of the dummy tx (nonce=0, gas=0, gas_price=0, to=0, value=0,
-/// data="") for any chain_id
-pub fn get_dummy_tx_hash(chain_id: u64) -> H256 {
-    let (tx, sig) = get_dummy_tx(chain_id);
+/// data="")
+pub fn get_dummy_tx_hash() -> H256 {
+    let (tx, sig) = get_dummy_tx();
 
     let tx_hash = keccak256(tx.rlp_signed(&sig));
 
+    assert_eq!(
+        hex::encode(tx_hash),
+        "137c41d53f2e633af81c75e938f6ccf7298ad6d2fa698b19a50545c1ae5b2b85"
+    );
+
     H256(tx_hash)
 }
 
@@ -686,59 +693,43 @@ fn keccak_inputs_pi_circuit(
     withdraw_trie_root: Word,
     block_headers: &BTreeMap<u64, BlockHead>,
     transactions: &[Transaction],
-    max_txs: usize,
-) -> Vec<u8> {
-    let dummy_tx_hash = get_dummy_tx_hash(chain_id);
-
-    let result = iter::empty()
-        // state roots
-        .chain(prev_state_root.to_be_bytes())
-        .chain(
-            block_headers
-                .last_key_value()
-                .map(|(_, blk)| blk.eth_block.state_root)
-                .unwrap_or(H256(prev_state_root.to_be_bytes()))
-                .to_fixed_bytes(),
-        )
-        // withdraw trie root
-        .chain(withdraw_trie_root.to_be_bytes())
+) -> Vec<Vec<u8>> {
+    let data_bytes = iter::empty()
         .chain(block_headers.iter().flat_map(|(block_num, block)| {
             let num_txs = transactions
                 .iter()
                 .filter(|tx| tx.block_num == *block_num)
                 .count() as u16;
-            let parent_hash = block.eth_block.parent_hash;
-            let block_hash = block.eth_block.hash.unwrap_or(H256::zero());
-            let num_l1_msgs = 0_u16; // 0 for now
 
             iter::empty()
                 // Block Values
-                .chain(block_hash.to_fixed_bytes())
-                .chain(parent_hash.to_fixed_bytes()) // parent hash
                 .chain(block.number.as_u64().to_be_bytes())
                 .chain(block.timestamp.as_u64().to_be_bytes())
                 .chain(block.base_fee.to_be_bytes())
                 .chain(block.gas_limit.to_be_bytes())
                 .chain(num_txs.to_be_bytes())
-                .chain(num_l1_msgs.to_be_bytes())
         }))
         // Tx Hashes
         .chain(transactions.iter().flat_map(|tx| tx.hash.to_fixed_bytes()))
-        .chain(
-            (0..(max_txs - transactions.len()))
-                .into_iter()
-                .flat_map(|_| dummy_tx_hash.to_fixed_bytes()),
-        )
+        .collect::<Vec<u8>>();
+    let data_hash = H256(keccak256(&data_bytes));
+    let after_state_root = block_headers
+        .last_key_value()
+        .map(|(_, blk)| blk.eth_block.state_root)
+        .unwrap_or(H256(prev_state_root.to_be_bytes()));
+    let pi_bytes = iter::empty()
+        .chain(chain_id.to_be_bytes())
+        .chain(prev_state_root.to_be_bytes())
+        .chain(after_state_root.to_fixed_bytes())
+        .chain(withdraw_trie_root.to_be_bytes())
+        .chain(data_hash.to_fixed_bytes())
         .collect::<Vec<u8>>();
 
-    result
+    vec![data_bytes, pi_bytes]
 }
 
 /// Generate the keccak inputs required by the Tx Circuit from the transactions.
-pub fn keccak_inputs_tx_circuit(
-    txs: &[geth_types::Transaction],
-    chain_id: u64,
-) -> Result<Vec<Vec<u8>>, Error> {
+pub fn keccak_inputs_tx_circuit(txs: &[geth_types::Transaction]) -> Result<Vec<Vec<u8>>, Error> {
     let mut inputs = Vec::new();
 
     let hash_datas = txs
@@ -747,7 +738,7 @@ pub fn keccak_inputs_tx_circuit(
         .collect::<Vec<Vec<u8>>>();
     let dummy_hash_data = {
         // dummy tx is a legacy tx.
-        let (dummy_tx, dummy_sig) = get_dummy_tx(chain_id);
+        let (dummy_tx, dummy_sig) = get_dummy_tx();
         dummy_tx.rlp_signed(&dummy_sig).to_vec()
     };
     inputs.extend_from_slice(&hash_datas);
@@ -783,8 +774,9 @@ pub fn keccak_inputs_tx_circuit(
     // one that we use in get_dummy_tx, so we only need to include the tx sign
     // hash of the dummy tx.
     let dummy_sign_input = {
-        let (dummy_tx, _) = get_dummy_tx(chain_id);
-        dummy_tx.rlp().to_vec()
+        let (dummy_tx, _) = get_dummy_tx();
+        // dummy tx is of type pre-eip155
+        dummy_tx.rlp_unsigned().to_vec()
     };
     inputs.push(dummy_sign_input);
 

bus-mapping/src/circuit_input_builder/block.rs

@@ -7,7 +7,7 @@ use crate::{
     operation::{OperationContainer, RWCounter},
     Error,
 };
-use eth_types::{Address, Hash, ToWord, Word};
+use eth_types::{sign_types::SignData, Address, Hash, ToWord, Word};
 use std::collections::{BTreeMap, HashMap};
 
 /// Context of a [`Block`] which can mutate in a [`Transaction`].
@@ -153,6 +153,8 @@ pub struct Block {
     pub code: HashMap<Hash, Vec<u8>>,
     /// Inputs to the SHA3 opcode
     pub sha3_inputs: Vec<Vec<u8>>,
+    /// IO to/from the precompile Ecrecover calls.
+    pub ecrecover_events: Vec<SignData>,
     /// Block-wise steps
     pub block_steps: BlockSteps,
     /// Exponentiation events in the block.
@@ -246,4 +248,8 @@ impl Block {
     pub fn add_exp_event(&mut self, event: ExpEvent) {
         self.exp_events.push(event);
     }
+    /// Push an ecrecover event to the block.
+    pub fn add_ecrecover_event(&mut self, event: SignData) {
+        self.ecrecover_events.push(event);
+    }
 }

bus-mapping/src/circuit_input_builder/transaction.rs

@@ -20,6 +20,8 @@ use super::{call::ReversionGroup, Call, CallContext, CallKind, CodeSource, ExecS
 
 /// Precision of transaction L1 fee
 pub const TX_L1_FEE_PRECISION: u64 = 1_000_000_000;
+/// Extra cost as the bytes of rlped tx commited to L1 (assume to non-zero, overestimated a bit)
+pub const TX_L1_COMMIT_EXTRA_COST: u64 = 64;
 
 #[derive(Debug, Default)]
 /// Context of a [`Transaction`] which can mutate in an [`ExecStep`].
@@ -460,7 +462,7 @@ impl TxL1Fee {
     /// Calculate L1 fee and remainder of transaction.
     pub fn tx_l1_fee(&self, tx_data_gas_cost: u64) -> (u64, u64) {
         // <https://github.com/scroll-tech/go-ethereum/blob/49192260a177f1b63fc5ea3b872fb904f396260c/rollup/fees/rollup_fee.go#L118>
-        let tx_l1_gas = tx_data_gas_cost + self.fee_overhead;
+        let tx_l1_gas = tx_data_gas_cost + self.fee_overhead + TX_L1_COMMIT_EXTRA_COST;
         let tx_l1_fee = self.fee_scalar as u128 * self.base_fee as u128 * tx_l1_gas as u128;
 
         (

circuit-benchmarks/src/pi_circuit.rs

@@ -25,7 +25,7 @@ mod tests {
     use rand::SeedableRng;
     use rand_xorshift::XorShiftRng;
     use zkevm_circuits::{
-        pi_circuit::{PiCircuit, PiTestCircuit},
+        pi_circuit::{dev::PiTestCircuit, PiCircuit},
         util::SubCircuit,
         witness::{block_convert, Block},
     };

circuit-benchmarks/src/tx_circuit.rs

@@ -24,7 +24,9 @@ mod tests {
     use rand::SeedableRng;
     use rand_chacha::ChaCha20Rng;
     use std::env::var;
-    use zkevm_circuits::{tx_circuit::TxCircuit, util::SubCircuit, witness::block_convert};
+    use zkevm_circuits::{
+        tx_circuit::TestTxCircuit as TxCircuit, util::SubCircuit, witness::block_convert,
+    };
 
     use bus_mapping::rpc::GethClient;
     use ethers::providers::Http;

eth-types/src/geth_types.rs

@@ -333,7 +333,7 @@ impl Transaction {
             .try_into()
             .expect("hash length isn't 32 bytes");
         let v = self.tx_type.get_recovery_id(self.v);
-        let pk = recover_pk(v, &self.r, &self.s, &msg_hash)?;
+        let pk = recover_pk(v as u8, &self.r, &self.s, &msg_hash)?;
         // msg_hash = msg_hash % q
         let msg_hash = BigUint::from_bytes_be(msg_hash.as_slice());
         let msg_hash = msg_hash.mod_floor(&*SECP256K1_Q);
@@ -343,7 +343,7 @@ impl Transaction {
             libsecp256k1::Error::InvalidMessage,
         )?;
         Ok(SignData {
-            signature: (sig_r, sig_s),
+            signature: (sig_r, sig_s, v as u8),
             pk,
             msg,
             msg_hash,

eth-types/src/sign_types.rs

@@ -1,7 +1,10 @@
 //! secp256k1 signature types and helper functions.
 
-use crate::{ToBigEndian, Word};
-use ethers_core::types::Bytes;
+use crate::{ToBigEndian, ToWord, Word};
+use ethers_core::{
+    types::{Address, Bytes},
+    utils::keccak256,
+};
 use halo2_proofs::{
     arithmetic::{CurveAffine, FieldExt},
     halo2curves::{
@@ -23,32 +26,33 @@ pub fn sign(
     randomness: secp256k1::Fq,
     sk: secp256k1::Fq,
     msg_hash: secp256k1::Fq,
-) -> (secp256k1::Fq, secp256k1::Fq) {
+) -> (secp256k1::Fq, secp256k1::Fq, u8) {
     let randomness_inv =
         Option::<secp256k1::Fq>::from(randomness.invert()).expect("cannot invert randomness");
     let generator = Secp256k1Affine::generator();
     let sig_point = generator * randomness;
+    let sig_v: bool = sig_point.to_affine().y.is_odd().into();
+
     let x = *Option::<Coordinates<_>>::from(sig_point.to_affine().coordinates())
         .expect("point is the identity")
         .x();
 
-    let x_repr = &mut vec![0u8; 32];
-    x_repr.copy_from_slice(x.to_bytes().as_slice());
-
     let mut x_bytes = [0u8; 64];
-    x_bytes[..32].copy_from_slice(&x_repr[..]);
+    x_bytes[..32].copy_from_slice(&x.to_bytes());
 
     let sig_r = secp256k1::Fq::from_bytes_wide(&x_bytes); // get x cordinate (E::Base) on E::Scalar
+
     let sig_s = randomness_inv * (msg_hash + sig_r * sk);
-    (sig_r, sig_s)
+    (sig_r, sig_s, u8::from(sig_v))
 }
 
 /// Signature data required by the SignVerify Chip as input to verify a
 /// signature.
 #[derive(Clone, Debug)]
 pub struct SignData {
-    /// Secp256k1 signature point
-    pub signature: (secp256k1::Fq, secp256k1::Fq),
+    /// Secp256k1 signature point (r, s, v)
+    /// v must be 0 or 1
+    pub signature: (secp256k1::Fq, secp256k1::Fq, u8),
     /// Secp256k1 public key
     pub pk: Secp256k1Affine,
     /// Message being hashed before signing.
@@ -57,7 +61,20 @@ pub struct SignData {
     pub msg_hash: secp256k1::Fq,
 }
 
+impl SignData {
+    /// Recover address of the signature
+    pub fn get_addr(&self) -> Word {
+        let pk_le = pk_bytes_le(&self.pk);
+        let pk_be = pk_bytes_swap_endianness(&pk_le);
+        let pk_hash = keccak256(pk_be);
+        let mut addr_bytes = [0u8; 20];
+        addr_bytes.copy_from_slice(&pk_hash[12..]);
+        Address::from(addr_bytes).to_word()
+    }
+}
+
 lazy_static! {
+    // FIXME: use Transaction::dummy().sign_data() instead when we merged the develop branch
     static ref SIGN_DATA_DEFAULT: SignData = {
         let generator = Secp256k1Affine::generator();
         let sk = secp256k1::Fq::one();
@@ -80,10 +97,10 @@ lazy_static! {
             .expect("hash length isn't 32 bytes");
         let msg_hash = secp256k1::Fq::from_bytes(&msg_hash).unwrap();
         let randomness = secp256k1::Fq::one();
-        let (sig_r, sig_s) = sign(randomness, sk, msg_hash);
+        let (sig_r, sig_s, v) = sign(randomness, sk, msg_hash);
 
         SignData {
-            signature: (sig_r, sig_s),
+            signature: (sig_r, sig_s, v),
             pk,
             msg: msg.into(),
             msg_hash,
@@ -92,12 +109,12 @@ lazy_static! {
 }
 
 impl Default for SignData {
+    // Hardcoded valid signature corresponding to a hardcoded private key and
+    // message hash generated from "nothing up my sleeve" values to make the
+    // ECDSA chip pass the constraints, to be use for padding signature
+    // verifications (where the constraints pass, but we don't care about the
+    // message hash and public key).
     fn default() -> Self {
-        // Hardcoded valid signature corresponding to a hardcoded private key and
-        // message hash generated from "nothing up my sleeve" values to make the
-        // ECDSA chip pass the constraints, to be use for padding signature
-        // verifications (where the constraints pass, but we don't care about the
-        // message hash and public key).
         SIGN_DATA_DEFAULT.clone()
     }
 }

integration-tests/tests/mainnet.rs

@@ -15,7 +15,7 @@ use zkevm_circuits::{
     rlp_circuit_fsm::RlpCircuit,
     state_circuit::StateCircuit,
     super_circuit::SuperCircuit,
-    tx_circuit::TxCircuit,
+    tx_circuit::TestTxCircuit as TxCircuit,
     util::{Challenges, SubCircuit},
     witness,
     witness::Transaction,

mock/src/transaction.rs

@@ -12,7 +12,7 @@ use ethers_core::{
 use ethers_signers::{LocalWallet, Signer};
 use lazy_static::lazy_static;
 use rand::SeedableRng;
-use rand_chacha::ChaCha20Rng;
+use rand_chacha::{rand_core::OsRng, ChaCha20Rng};
 
 lazy_static! {
     /// Collection of correctly hashed and signed Transactions which can be used to test circuits or opcodes that have to check integrity of the Tx itself.
@@ -171,7 +171,8 @@ impl Default for MockTransaction {
             block_hash: Hash::zero(),
             block_number: U64::zero(),
             transaction_index: U64::zero(),
-            from: AddrOrWallet::Addr(MOCK_ACCOUNTS[0]),
+            //from: AddrOrWallet::Addr(MOCK_ACCOUNTS[0]),
+            from: AddrOrWallet::random(&mut OsRng),
             to: None,
             value: Word::zero(),
             gas_price: *MOCK_GASPRICE,